1. (Original) A method of improving intrusion detection in a computing network, comprising steps of:
defining intrusion suspicion levels for inbound communications destined for a computing device on the computing network; and
using the defined intrusion suspicion levels to determine if a particular inbound communication destined for the computing device should be treated as an intrusion event.

2. (Original) The method according to Claim 1, further comprising steps of:
defining a sensitivity level for filtering intrusion events; and
determining the intrusion suspicion level of the particular inbound communication;
wherein the using step compares the sensitivity level to the determined intrusion suspicion level.



3. (Original) The method according to Claim 2, wherein the determining step further comprises comparing conditions in the computing device to predetermined conditions which signal a potential intrusion.

4. (Original) The method according to Claim 3, wherein the conditions in the computing device comprise contents of the particular inbound communication.



5. (Original) The method according to Claim 4, wherein the conditions in the computing device further comprise a protocol state of a protocol stack which processes the particular inbound communication.

6. (Original) The method according to Claim 1, further comprising the step of taking one or more defensive actions when the using step determines that the particular inbound communication should be treated as an intrusion event.

7. (Original) The method according to Claim 6, wherein the defensive actions are 
determined by consulting intrusion detection policy information. 



8. (Original) The method according to Claim 6, wherein the intrusion detection policy information is stored in a network-accessible repository.

9. (Original) The method according to Claim 1, wherein the using step further comprises comparing the particular inbound communication to one or more attack signatures.

10. (Original) The method according to Claim 9, wherein at least one of the attack signatures is a class signature representing a class of attacks.



11. (Original) The method according to Claim 9, wherein the attack signatures are specified as conditions in intrusion detection rules, and wherein each of the intrusion detection rules further comprises one or more actions that are to be taken when the using step determines that the particular inbound communication should be treated as an intrusion event.

12. (Original) The method according to Claim 1, wherein the using step operates in the computing device for which the particular inbound communication is destined.

13. (Original) The method according to Claim 12, wherein the using step operates within layer-specific intrusion detection logic executing in a protocol stack running on the computing device.

14. (Original) The method according to Claim 1, wherein the using step operates in a network device which analyzes communications directed to the computing device for which the particular inbound communication is destined.
15. (Original) The method according to Claim 1, further comprising steps of:
for each of a plurality of potential intrusion events, defining a set of one or more conditions which describe the potential intrusion event;
associating a sensitivity level with each of the sets of conditions; and
determining a suspicion level of the particular inbound communication;
wherein the using step determines that the particular inbound communication should be treated as an intrusion event when conditions pertaining to the particular inbound communication match a selected one of the sets of conditions and the determined suspicion level maps to the sensitivity level associated with the selected set of conditions.
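The suspicion-level and rule-matching logic recited in claims 1 through 15 (and restated in system form in claims 22 through 27 and in program-product form in claims 32 through 40), as an added example that is not part of the patent and not the applicant's code. The level scale, the scoring weights in the suspicion-level step, the two rules, the policy table and the sample packets are all constructed for illustration; the claims fix only the structure (condition sets with an associated sensitivity level, a determined suspicion level, a deployment-wide filter sensitivity, and policy-driven defensive actions), not these values.

```python
"""Added example (not the patent's own code): rule engine following the
structure of claims 1-15. Levels, weights, rules, policy and packets are
constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Ordered suspicion/sensitivity scale (assumption: three levels).
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Inbound:
    """One inbound communication as seen by the host's protocol stack."""
    src: str
    dst_port: int
    payload: bytes
    tcp_state: str  # protocol state of the stack (claim 5), e.g. "ESTABLISHED"


@dataclass
class Rule:
    """Attack signature expressed as a set of conditions (claim 11), the
    sensitivity level of that condition set (claim 15) and the actions to
    take on a match (claims 6, 7, 11)."""
    name: str
    conditions: List[Callable[[Inbound], bool]]
    sensitivity: str
    actions: List[str]


def suspicion_level(comm: Inbound) -> str:
    """Derive a suspicion level from conditions in the computing device:
    payload contents (claim 4) plus protocol state (claim 5). Weights are
    constructed for the example."""
    score = 0
    if b"\x90" * 8 in comm.payload:        # NOP-sled-like run in the contents
        score += 2
    if len(comm.payload) > 512:            # unusually large message
        score += 1
    if comm.tcp_state != "ESTABLISHED":    # data outside an established session
        score += 1
    if score >= 3:
        return "high"
    if score == 2:
        return "medium"
    return "low"


def is_intrusion(comm: Inbound, rules: List[Rule], filter_sensitivity: str) -> Optional[Rule]:
    """The 'using step': an intrusion event is declared when every condition of
    some rule matches AND the determined suspicion level reaches both the
    deployment-wide filter sensitivity (claim 2) and the rule's own
    sensitivity (claim 15). Returns the matching rule, or None."""
    level = LEVELS[suspicion_level(comm)]
    if level < LEVELS[filter_sensitivity]:
        return None
    for rule in rules:
        if all(cond(comm) for cond in rule.conditions) and level >= LEVELS[rule.sensitivity]:
            return rule
    return None


# Constructed policy repository (claims 7, 8): rule name -> defensive actions.
POLICY: Dict[str, List[str]] = {
    "shellcode-over-http": ["drop", "log", "alert-soc"],
    "oversize-smtp": ["log"],
}

# Constructed rules: each is a condition set with a sensitivity and actions.
RULES = [
    Rule("shellcode-over-http",
         [lambda c: c.dst_port == 80, lambda c: b"\x90" * 8 in c.payload],
         sensitivity="medium", actions=POLICY["shellcode-over-http"]),
    Rule("oversize-smtp",
         [lambda c: c.dst_port == 25, lambda c: len(c.payload) > 512],
         sensitivity="low", actions=POLICY["oversize-smtp"]),
]


def evaluate(comm: Inbound, filter_sensitivity: str = "low") -> List[str]:
    """Return the defensive actions for comm, or [] if it is not an intrusion."""
    rule = is_intrusion(comm, RULES, filter_sensitivity)
    return rule.actions if rule else []


# Constructed sample traffic (not captured data).
EXPLOIT = Inbound("198.51.100.7", 80, b"GET /" + b"\x90" * 16 + b"\xcc" * 8, "ESTABLISHED")
MAIL = Inbound("198.51.100.9", 25, b"DATA\r\n" + b"A" * 600, "ESTABLISHED")
BENIGN = Inbound("198.51.100.2", 80, b"GET /index.html HTTP/1.1\r\n", "ESTABLISHED")

if __name__ == "__main__":
    for name, comm in [("exploit", EXPLOIT), ("mail", MAIL), ("benign", BENIGN)]:
        print(name, suspicion_level(comm), evaluate(comm), evaluate(comm, "high"))
```

Raising the filter sensitivity (the claim 2 comparison) is what lets the same rule set run quietly on a noisy segment: with `filter_sensitivity="high"` the medium-suspicion exploit sample is no longer reported, while the rule's own sensitivity (claim 15) still decides whether a low-suspicion match such as the oversize SMTP message counts at the default setting.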



16. (Withdrawn) A method for improving intrusion detection in a computing network, comprising steps of:
classifying an inbound communication destined for a computing device on the computing network as to an intrusion class which is applicable to the inbound communication; and
determining whether the applicable intrusion class has one or more associated intrusion detection policy specifications, and if so, performing actions specified in the one or more associated intrusion detection policy specifications.

17. (Withdrawn) The method according to Claim 16, wherein the actions include writing a record describing the inbound communication to a file, wherein the record includes the applicable intrusion class.

18. (Withdrawn) The method according to Claim 17, wherein the record includes an identification of a code element where the inbound communication was processed.

19. (Withdrawn) The method according to Claim 18, further comprising the step of:
determining, for each of the records of the file, whether the intrusion class and identification of the code element identify a specific attack, and if so, creating an analysis record for the identified specific attack.

20. (Withdrawn) The method according to Claim 18, further comprising the step of:
determining, for each of the records of the file, whether the intrusion class and identification of the code element identify a specific attack, and if not, performing steps of:
locating packet data pertaining to the record;
comparing the located packet data to attack signatures; and
if a matching attack signature is located by the comparing step, creating an analysis record for a specific attack which corresponds to the matching attack signature, and otherwise creating an analysis record for the intrusion class.



21. (Withdrawn) The method according to Claim 16, wherein the classifying step further comprises locating an attack signature which matches the inbound communication, and the determining step further comprises using one or more keywords which are associated with the located attack signature to retrieve the associated intrusion detection policy specifications.
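The classify, retrieve-policy, record and analyse flow of claims 16 through 21 (mirrored in system form in claims 28 through 31 and in program-product form in claims 41 through 44), as an added example that is not the patent's own code. The signatures and their keywords, the two policy tables, the code-element names, the table of (class, code element) pairs that pin down a specific attack, and the sample packets are all constructed for illustration; the claims specify only the flow, not these contents.

```python
"""Added example (not the patent's own code): classification -> keyword
policy lookup -> log record -> analysis record, following claims 16-21.
Signatures, keywords, policy, code elements and packets are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Signature:
    name: str                  # the specific attack this signature identifies
    pattern: bytes             # constructed regex over packet data
    intrusion_class: str       # intrusion class the signature belongs to
    keywords: Tuple[str, ...]  # keywords used to retrieve policy (claim 21)


# Constructed signature set, one per specific attack.
SIGNATURES = [
    Signature("cmd-exe-traversal", rb"\.\./.*cmd\.exe", "web-traversal", ("web", "traversal")),
    Signature("smtp-vrfy-probe", rb"^VRFY ", "recon", ("smtp", "recon")),
]

# Constructed policy repository: by signature keyword (claim 21) and by class (claim 16).
POLICY_BY_KEYWORD: Dict[str, List[str]] = {
    "web": ["log-record"], "traversal": ["drop"],
    "smtp": ["log-record"], "recon": ["rate-limit"],
}
POLICY_BY_CLASS: Dict[str, List[str]] = {"malformed-header": ["log-record"]}

# Constructed: (intrusion class, code element) pairs that identify one specific
# attack without re-examining packet data (claims 19, 20).
SPECIFIC_ATTACK: Dict[Tuple[str, str], str] = {("recon", "smtp-parser"): "smtp-vrfy-probe"}


def classify(packet: bytes) -> Tuple[str, Optional[Signature]]:
    """Claims 16, 21: classify by a matching attack signature when one exists,
    otherwise by a coarse structural check (constructed)."""
    for sig in SIGNATURES:
        if re.search(sig.pattern, packet, re.MULTILINE):
            return sig.intrusion_class, sig
    if b"\r\n" not in packet:
        return "malformed-header", None
    return "none", None


def actions_for(intrusion_class: str, sig: Optional[Signature]) -> List[str]:
    """Claims 16, 21: retrieve policy actions by the signature's keywords,
    falling back to the class-level policy; order is preserved, duplicates dropped."""
    if sig is None:
        return POLICY_BY_CLASS.get(intrusion_class, [])
    acts: List[str] = []
    for kw in sig.keywords:
        for a in POLICY_BY_KEYWORD.get(kw, []):
            if a not in acts:
                acts.append(a)
    return acts


def process(packet: bytes, code_element: str, log: List[dict]) -> List[str]:
    """Run one inbound communication through the detector; when policy says
    'log-record', write a record carrying the class and the code element
    where the packet was processed (claims 17, 18)."""
    cls, sig = classify(packet)
    acts = actions_for(cls, sig)
    if "log-record" in acts:
        log.append({"class": cls, "code_element": code_element, "packet": packet})
    return acts


def analyse(log: List[dict]) -> List[dict]:
    """Claims 19, 20: class plus code element first; otherwise locate the
    packet data, compare it to the signatures, and fall back to the class."""
    out = []
    for rec in log:
        key = (rec["class"], rec["code_element"])
        if key in SPECIFIC_ATTACK:
            out.append({"attack": SPECIFIC_ATTACK[key], "source": "class+element"})
            continue
        match = next((s for s in SIGNATURES
                      if re.search(s.pattern, rec["packet"], re.MULTILINE)), None)
        if match:
            out.append({"attack": match.name, "source": "signature"})
        else:
            out.append({"attack": rec["class"], "source": "class"})
    return out


# Constructed sample packets with the (hypothetical) code element that saw them.
SAMPLE_PACKETS = [
    (b"GET /../../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n", "http-parser"),
    (b"VRFY root\r\n", "smtp-parser"),
    (b"\x00\x01\x02garbage", "http-parser"),
    (b"GET / HTTP/1.1\r\nHost: example\r\n", "http-parser"),
]


def run_pipeline():
    """Process the samples, then analyse the resulting log; returns both."""
    log: List[dict] = []
    actions = [process(pkt, elem, log) for pkt, elem in SAMPLE_PACKETS]
    return actions, analyse(log)


if __name__ == "__main__":
    for row in zip(SAMPLE_PACKETS, *run_pipeline()):
        print(row)
```

The split between `process` and `analyse` is the point of claims 17 through 20: the inline path records only the class and the code element, which is cheap, and the packet data is consulted only later, and only for records that the (class, code element) pair does not already resolve to a specific attack.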



22. (Original) A system for improving intrusion detection in a computing network, comprising:
means for defining intrusion suspicion levels for inbound communications destined for a computing device on the computing network; and
means for using the defined intrusion suspicion levels to determine if a particular inbound communication destined for the computing device should be treated as an intrusion event.



23. (Original) The system according to Claim 22, further comprising:
means for defining a sensitivity level for filtering intrusion events; and
means for determining the intrusion suspicion level of the particular inbound communication;
wherein the means for using the defined intrusion suspicion levels further comprises means for comparing the sensitivity level to the determined intrusion suspicion level.

24. (Original) The system according to Claim 23, wherein the means for determining further comprises means for comparing conditions in the computing device to predetermined conditions which signal a potential intrusion.

25. (Original) The system according to Claim 22, further comprising means for taking one or more defensive actions when the means for using determines that the particular inbound communication should be treated as an intrusion event, wherein the defensive actions are determined by consulting intrusion detection policy information.



26. (Original) The system according to Claim 22, wherein the means for using further comprises means for comparing the particular inbound communication to one or more attack signatures, wherein the attack signatures are specified as conditions in intrusion detection rules, and wherein each of the intrusion detection rules further comprises one or more actions that are to be taken when the means for using determines that the particular inbound communication should be treated as an intrusion event.

27. (Original) The system according to Claim 22, further comprising:
for each of a plurality of potential intrusion events, means for defining a set of one or more conditions which describe the potential intrusion event;
means for associating a sensitivity level with each of the sets of conditions; and
means for determining a suspicion level of the particular inbound communication;
wherein the means for using determines that the particular inbound communication should be treated as an intrusion event when conditions pertaining to the particular inbound communication match a selected one of the sets of conditions and the determined suspicion level maps to the sensitivity level associated with the selected set of conditions.



28. (Withdrawn) A system for improving intrusion detection in a computing network, comprising:
means for classifying an inbound communication destined for a computing device on the computing network as to an intrusion class which is applicable to the inbound communication; and
means for determining whether the applicable intrusion class has one or more associated intrusion detection policy specifications, and if so, performing actions specified in the one or more associated intrusion detection policy specifications.



29. (Withdrawn) The system according to Claim 28, wherein the actions include writing a record describing the inbound communication to a file, wherein the record includes the applicable intrusion class and an identification of a code element where the inbound communication was processed.

30. (Withdrawn) The system according to Claim 29, further comprising:
means for determining, for each of the records of the file, whether the intrusion class and identification of the code element identify a specific attack, and if so, creating an analysis record for the identified specific attack, and if not, means for:
locating packet data pertaining to the record;
comparing the located packet data to attack signatures; and
if a matching attack signature is located by the means for comparing, creating an analysis record for a specific attack which corresponds to the matching attack signature, and otherwise creating an analysis record for the intrusion class.

31. (Withdrawn) The system according to Claim 28, wherein the means for classifying further comprises means for locating an attack signature which matches the inbound communication, and the means for determining further comprises means for using one or more keywords which are associated with the located attack signature to retrieve the associated intrusion detection policy specifications.



32. (Original) A computer program product for improving intrusion detection in a computing network, the computer program product embodied on one or more computer-readable media and comprising:
computer-readable program code means for defining intrusion suspicion levels for inbound communications destined for a computing device on the computing network; and
computer-readable program code means for using the defined intrusion suspicion levels to determine if a particular inbound communication destined for the computing device should be treated as an intrusion event.

33. (Original) The computer program product according to Claim 32, further comprising:
computer-readable program code means for defining a sensitivity level for filtering intrusion events; and
computer-readable program code means for determining the intrusion suspicion level of the particular inbound communication;
wherein the computer-readable program code means for using compares the sensitivity level to the determined intrusion suspicion level.

34. (Original) The computer program product according to Claim 33, wherein the computer-readable program code means for determining further comprises computer-readable program code means for comparing conditions in the computing device to predetermined conditions which signal a potential intrusion, the conditions in the computing device comprising contents of the particular inbound communication.



35. (Original) The computer program product according to Claim 33, wherein the computer-readable program code means for determining further comprises computer-readable program code means for comparing conditions in the computing device to predetermined conditions which signal a potential intrusion, the conditions in the computing device comprising contents of the particular inbound communication and a protocol state of a protocol stack which processes the particular inbound communication.

36. (Original) The computer program product according to Claim 32, further comprising computer-readable program code means for taking one or more defensive actions when the computer-readable program code means for using determines that the particular inbound communication should be treated as an intrusion event, wherein the defensive actions are determined by consulting intrusion detection policy information stored in a policy repository.

37. (Original) The computer program product according to Claim 1, wherein the computer-readable program code means for using further comprises computer-readable program code means for comparing the particular inbound communication to one or more attack signatures, wherein at least one of the attack signatures is a class signature representing a class of attacks.

38. (Original) The computer program product according to Claim 32, wherein the computer-readable program code means for using operates in the computing device for which the particular inbound communication is destined.

39. (Original) The computer program product according to Claim 32, wherein the computer-readable program code means for using operates in a network device which analyzes communications directed to the computing device for which the particular inbound communication is destined.



40. (Original) The computer program product according to Claim 32, further comprising:
computer-readable program code means for specifying, for each of a plurality of potential intrusion events, a set of one or more conditions which describe the potential intrusion event;
computer-readable program code means for associating a sensitivity level with each of the sets of conditions; and
computer-readable program code means for determining a suspicion level of the particular inbound communication;
wherein the computer-readable program code means for using determines that the particular inbound communication should be treated as an intrusion event when conditions pertaining to the particular inbound communication match a selected one of the sets of conditions and the determined suspicion level maps to the sensitivity level associated with the selected set of conditions.

41. (Withdrawn) A computer program product for improving intrusion detection in a computing network, the computer program product embodied on one or more computer-readable media and comprising:
computer-readable program code means for classifying an inbound communication destined for a computing device on the computing network as to an intrusion class which is applicable to the inbound communication; and
computer-readable program code means for determining whether the applicable intrusion class has one or more associated intrusion detection policy specifications, and if so, performing actions specified in the one or more associated intrusion detection policy specifications.

42. (Withdrawn) The computer program product according to Claim 41, wherein the actions include writing a record describing the inbound communication to a file, wherein the record includes the applicable intrusion class and an identification of a code element where the inbound communication was processed.

43. (Withdrawn) The computer program product according to Claim 42, further comprising:
computer-readable program code means for determining, for each of the records of the file, whether the intrusion class and identification of the code element identify a specific attack, and if so, computer-readable program code means for creating an analysis record for the identified specific attack, and if not, computer-readable program code means for:
locating packet data pertaining to the record;
comparing the located packet data to attack signatures; and
if a matching attack signature is located by the computer-readable program code means for comparing, creating an analysis record for a specific attack which corresponds to the matching attack signature, and otherwise creating an analysis record for the intrusion class.

44. (Withdrawn) The computer program product according to Claim 41, wherein the computer-readable program code means for classifying further comprises computer-readable program code means for locating an attack signature which matches the inbound communication, and the computer-readable program code means for determining further comprises computer-readable program code means for using one or more keywords which are associated with the located attack signature to retrieve the associated intrusion detection policy specifications.